That's an interesting question to ask. As I see it, CI should produce good
and final artifacts. This means that CI should also sign them in the
pipeline. We can inject required keys and credentials with secret variables
to make it work. These credentials are then only accessible to whoever has
access to Jenkins. Right now I have no idea how the binaries are signed
today. There surely are targets to do so but I have not found them yet.
Stefan, can you point me in the right direction?

Thanks Matt for pointing out yet another thing that we are probably missing
in the CI pipeline.

On Tue, 12 Jun 2018, 18:54 Matt Sicker, <boa...@gmail.com> wrote:

> Will you be signing and uploading them locally or via Jenkins?
>
> On Tue, Jun 12, 2018 at 10:05, Dominik Psenner <dpsen...@apache.org>
> wrote:
>
> > Hi,
> >
> > our CI is ready to supply us with binaries along with the log4net
> > website. This will be the first time that binaries from the CI are
> > shipped as a release. Therefore we are seeking volunteers to evaluate
> > the CI binaries [1]. Doing so is a great help and allows us to take the
> > next steps of shipping the next release of log4net.
> >
> > Best regards,
> > Dominik
> >
> > [1]
> > https://builds.apache.org/job/logging-log4net/job/develop/lastSuccessfulBuild/artifact/
> >
> > --
> Matt Sicker <boa...@gmail.com>
>
